Zacks Investment Research, a prominent American investment research firm known for its data-driven insights and the 'Zacks Rank' stock performance tool, is reportedly grappling with yet another significant data breach. This latest incident, surfacing just a year after a previous disclosure, allegedly impacts approximately 12 million user accounts, raising serious concerns about the company's cybersecurity posture and data protection practices.
In late January 2025, a threat actor known for targeting organizations with valuable data posted sample data on a well-known hacker forum, BreachForums. The post claimed responsibility for a breach at Zacks dating back to June 2024, asserting the compromise of millions of customer records.
The leaked data, offered to forum members for a small cryptocurrency fee, purportedly includes sensitive Personally Identifiable Information (PII). Analysis of samples suggests the exposed information encompasses:
- Full Names
- Usernames
- Email Addresses
- Physical Addresses
- Phone Numbers
The cybersecurity news outlet BleepingComputer diligently attempted to verify the authenticity of the breach with Zacks, but has received no official response so far. Adding to the severity of the claims, the threat actor informed BleepingComputer of gaining unauthorized access to Zacks' Active Directory as a domain administrator. This level of access is particularly alarming, as it suggests a deep compromise of the company's internal network. The attacker further claimed to have exfiltrated source code for Zacks.com along with 16 other websites, including internal portals, and shared source code snippets as purported proof.
Have I Been Pwned? Confirms Massive Data Load
Adding weight to the breach claims, the leaked Zacks database has been incorporated into Have I Been Pwned? (HIBP), a reputable service for users to check if their data has been compromised in security incidents. HIBP's analysis confirmed the presence of 12 million unique email addresses within the leaked file. Beyond email addresses, HIBP's validation revealed the leak included:
- IP Addresses
- Names
- Passwords (in the form of unsalted SHA-256 hashes)
- Phone Numbers
- Physical Addresses
- Usernames
It's noteworthy, however, that HIBP indicated that approximately 93% of the exposed email addresses were already present in its database, stemming from previous breaches on the same platform or other services. This could imply a degree of overlap with past incidents, but the sheer volume of new records remains concerning.
A Pattern of Security Incidents?
While Zacks has remained silent on this latest alleged breach, the potential incident, if confirmed, would mark the third major data breach to impact the company in recent years.
- January 2023 Disclosure: Zacks publicly acknowledged a network breach occurring between November 2021 and August 2022, which compromised the sensitive data of 820,000 customers.
- June 2023 HIBP Validation: Have I Been Pwned? validated a separate leaked database originating from Zacks, containing data from 8.8 million individuals. This database was later determined by Troy Hunt, HIBP's creator, to likely originate from a May 2020 incident, indicating a potentially older, previously undisclosed breach.
The repeated emergence of large-scale data leaks associated with Zacks raises critical questions about the effectiveness of their security measures and incident response protocols. The use of unsalted SHA-256 hashes for passwords, as indicated in the HIBP report, is a particularly weak security practice by modern standards and significantly increases the risk of password cracking.
Unofficial Validation and Potential Scenarios
Despite the lack of official confirmation from Zacks, the verification by Have I Been Pwned? lends significant credibility to the claim of a new data breach. Troy Hunt himself has expressed a "very high degree of confidence" that the data originates from a new incident, based on HIBP's validation process.
It is important to acknowledge a less likely, but still possible scenario: that threat actors might be scraping publicly available information and compiling databases, falsely associating them with Zacks. However, HIBP's validation process attempts to filter out such compiled lists, making a genuine breach the more probable explanation.
DevOps and Security Takeaways
This alleged breach at Zacks serves as a stark reminder of the persistent cybersecurity threats facing organizations, particularly those handling sensitive customer data. For DevOps and security professionals, this incident highlights several crucial considerations:
- Robust Access Control: The claim of domain admin access underscores the critical need for stringent access control measures, especially within Active Directory environments. Principle of least privilege, multi-factor authentication (MFA), and regular security audits are essential.
- Secure Password Practices: The use of unsalted SHA-256 hashing is outdated and inadequate. Organizations must adopt strong password hashing algorithms like Argon2, bcrypt, or scrypt, and implement salting to protect user credentials effectively.
- Source Code Security: The theft of source code is a serious concern. It can expose vulnerabilities, intellectual property, and provide attackers with blueprints for future attacks. Secure code repositories, code review processes, and robust security testing are vital.
- Incident Response and Transparency: The lack of official communication from Zacks, despite repeated inquiries, is concerning. Prompt and transparent incident response is crucial for building trust and mitigating reputational damage after a breach. Organizations should have well-defined incident response plans and be prepared to communicate openly with affected users and the public.
- Continuous Security Monitoring: Proactive security monitoring, vulnerability scanning, and penetration testing are essential to detect and remediate vulnerabilities before they can be exploited by attackers.
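The two password-storage points above (the unsalted SHA-256 hashes HIBP reported, and the advice to move to a salted, slow algorithm such as scrypt) can be made concrete in code. The following is an added example written for this article, not code from Zacks, HIBP or BleepingComputer. It uses only the Python standard library: `hashlib.scrypt` for the hardened scheme, a random per-user salt, and a constant-time comparison on verification. The usernames and passwords are constructed sample data, and the scrypt cost parameters are assumptions chosen for the demonstration, not a recommendation from the page. It also shows why the weak scheme leaks information on its own: with no salt, two users who chose the same password get identical stored digests, which an auditor (or anyone holding the dump) can see without knowing the password.

```python
import hashlib
import hmac
import secrets

# Constructed sample credentials for the demonstration (not from any real breach).
SAMPLE_USERS = {
    "alice": "correct horse battery staple",
    "bob": "correct horse battery staple",   # deliberately the same as alice
    "carol": "Tr0ub4dor&3",
}

# scrypt work-factor parameters; these values are assumed for this example.
SCRYPT_N = 2 ** 14   # CPU/memory cost (about 16 MiB with r=8)
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
DKLEN = 32


def sha256_unsalted(password: str) -> str:
    """The weak scheme described in the article: one fast digest, no salt."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def find_duplicate_hashes(records: dict[str, str]) -> dict[str, list[str]]:
    """Group usernames whose stored values collide.

    With an unsalted scheme, identical passwords give identical digests, so
    shared passwords are visible in the store itself. A salted scheme removes
    that signal: every record differs even when the passwords are the same.
    """
    by_hash: dict[str, list[str]] = {}
    for user, digest in records.items():
        by_hash.setdefault(digest, []).append(user)
    return {h: users for h, users in by_hash.items() if len(users) > 1}


def make_scrypt_record(password: str) -> str:
    """Hash with a fresh random salt and a memory-hard KDF.

    The record embeds its own parameters so the cost can be raised later
    without invalidating entries created under the old settings.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), key.hex()])


def verify_scrypt(record: str, password: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    scheme, n, r, p, salt_hex, key_hex = record.split("$")
    if scheme != "scrypt":
        return False
    key = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                         n=int(n), r=int(r), p=int(p), dklen=len(key_hex) // 2)
    return hmac.compare_digest(key.hex(), key_hex)


def demo() -> dict:
    """Store the sample users under both schemes and compare what each reveals."""
    weak = {u: sha256_unsalted(pw) for u, pw in SAMPLE_USERS.items()}
    strong = {u: make_scrypt_record(pw) for u, pw in SAMPLE_USERS.items()}
    return {
        "weak_duplicates": find_duplicate_hashes(weak),      # alice and bob collide
        "strong_duplicates": find_duplicate_hashes(strong),  # empty: salts differ
        "verify_ok": verify_scrypt(strong["alice"], SAMPLE_USERS["alice"]),
        "verify_wrong": verify_scrypt(strong["alice"], "wrong password"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running the script shows the unsalted store grouping alice and bob under one digest while the scrypt store has no collisions, and verification succeeding only for the correct password. The same structure applies to Argon2 or bcrypt from a third-party package; the parts that matter are the per-user random salt, a deliberately slow function, parameters stored with the record, and a constant-time comparison.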
The Zacks data breach, if officially confirmed, should serve as a wake-up call for organizations across industries to prioritize cybersecurity and adopt a proactive, DevOps-integrated security approach. Protecting customer data is not just a matter of compliance, but a fundamental aspect of maintaining trust and long-term business viability.